diff --git a/.gitignore b/.gitignore
index 423b41cf..2658f984 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 /.direnv/
 /wiki
 .DS_Store
+.terraform
diff --git a/.sops.yaml b/.sops.yaml
index 58810a85..4dcabbf6 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -31,3 +31,7 @@ creation_rules:
 shamir_threshold: 1
 key_groups:
 - pgp: *pgp_common
+- path_regex: tf/terraform.tfvars.sops$
+ shamir_threshold: 1
+ key_groups:
+ - pgp: *pgp_common
diff --git a/README.md b/README.md
new file mode 100644
index 00000000..72011b90
--- /dev/null
+++ b/README.md
@@ -0,0 +1,17 @@
+# gensokyo.zone's Infrastructure
+
+Welcome to the Palace of the Earth Spirits!
+
+## Contribution Guidelines
+
+### Nix
+
+* Please use [alejandra](https://github.com/kamadorueda/alejandra) as your source formatter.
+* Please check for dead code paths with [deadnix](https://github.com/astro/deadnix).
+* Please use [statix](https://github.com/nerdypepper/statix) as your linter.
+
+### Terraform
+
+* Please use `terraform fmt` to format your Terraform work.
+* Please use [tflint](https://github.com/terraform-linters/tflint) as your linter.
+* Please do not merge into files by category (e.g. variables, outputs, locals).
diff --git a/systems/mediabox/nixos.nix b/systems/mediabox/nixos.nix
index 556abde9..f0067072 100644
--- a/systems/mediabox/nixos.nix
+++ b/systems/mediabox/nixos.nix
@@ -14,6 +14,7 @@ nixos.plex nixos.tautulli nixos.ombi + nixos.deluge # yarr harr fiddle dee dee >w< nixos.radarr
@@ -40,6 +41,7 @@
 "radarr.gensokyo.zone".service = "http://localhost:7878";
 "bazarr.gensokyo.zone".service = "http://localhost:6767";
 "jackett.gensokyo.zone".service = "http://localhost:9117";
+ "deluge.gensokyo.zone".service = "http://localhost:9117";
 };
 };
 };
diff --git a/systems/mediabox/secrets.yaml b/systems/mediabox/secrets.yaml
index 55c3a6a6..366b339b 100644
--- a/systems/mediabox/secrets.yaml
+++ b/systems/mediabox/secrets.yaml
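Review bot: The new `.terraform` entry ignores the provider cache, but nothing ignores a decrypted `tf/terraform.tfvars`, even though this same commit adds an encrypted `tf/terraform.tfvars.sops` that presumably carries the Cloudflare API key, account id and tunnel secrets declared without defaults in the `tf/` files. If the workflow decrypts that file to `terraform.tfvars` next to the `.tf` sources (inferred from the filename; confirm), a stray `git add` would commit the plaintext. Adding `+*.tfvars` alongside `.terraform` closes that gap at no cost, since the encrypted copy keeps its distinct `.sops` suffix.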
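Review bot: The new `deluge.gensokyo.zone` ingress forwards to `http://localhost:9117`, the same upstream as the `jackett.gensokyo.zone` line directly above it, so the public deluge hostname would serve Jackett rather than Deluge's web UI (which listens on 8112 by default unless the module configures otherwise). The line looks copy-pasted from the jackett entry; it should point at whatever port the `nixos.deluge` module added in the first hunk actually exposes, e.g. `"deluge.gensokyo.zone".service = "http://localhost:8112";`. The enclosing attribute set starts before this hunk, so I cannot see whether the port is configured elsewhere in the file.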
@@ -1,4 +1,5 @@
 tailscale-key: ENC[AES256_GCM,data:TnXZW2c5NhMYHutOdDn8NG5RcdcNTzcTXuC27Ir+OO/4abF0rCEts1A=,iv:OK2nUBJ6LyP9w9L05JGtHe5rxmfoNyk8+zF6M6jYIG8=,tag:McbAMcTJ93C5OluGzYMvCw==,type:str]
+deluge-auth: ENC[AES256_GCM,data:C+d1Ft8vhMm+AMe6cEKoEVteN4+1QKEpZhCKUrrah/qh0m0WK97LaDiRQ6RBBPFyIKDYElGLDvuLVXWYqe6cgLLqXZZiQtrg9JvrTA==,iv:+FJtxz5KKjOoQeJ8KTP6aTTWimllNRAqyn88o78bYLw=,tag:mzDbhEayBR+j3cbBs9B4pw==,type:str]
 cloudflare_mediabox_tunnel: ENC[AES256_GCM,data:8evCY9lil+SYHTfaHOj8ULYFAX9Q5HHj/caZtfEsG30UiLZCThLWAXUA0FmKgIr8TNAz1tt9ySAaoUyDUFs6leV+FNqUv6fsJGKXQ039+s5YiGZzbKpG6EltDjJ8DYLl8JXuxMxOCsbbAsuhCmzUC8T2jbduxrb1f+nu7e7W6c+j8/5+ujH+Bk3mcd65s5/29Z6bwRhHjCwLDqNwnsI84FOIf8O9JrVXbfWmL33/plxo/xVwo7muffHFPFah8zIMNglg+teM,iv:YBRiJ2WzXsntH13Jv9o8XaNe12hS+VyKjAsbBc3o0EQ=,tag:hLywh0v+SfPkE7p+PLQItw==,type:str]
 sops:
 shamir_threshold: 1
@@ -16,8 +17,8 @@ sops:
 aDVRZTJtTzh5aElnN3hpcitZWmluQ3MK/je9HcOaN+DiSi2JsCThRXOEbydNQcRM
 ZBjYlbtPILMjrn4NoUtxnwbmm7vNgGdXVu7EDfQ0OxjWbo9Cv95WZg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-12T05:09:30Z"
- mac: ENC[AES256_GCM,data:WBT09CBeXUGOPP7OeJHPOEXVjP39jY+XyvDBniHlWOUFsHQn8N9wCRQ9OfJflw5CHmpxRlQvlzROhEoXvx4dgrEzDB0s6tkoTPkXAsMvTZAJVPl99XcOtmAodzAtn6ejsVnKp5f5EGKEubENsK1RvgzKS4oUoA18l8cAgvnq3kQ=,iv:XM54p8iSKzUNUSUbvanhYtjVrfTTWO3Wjyxnw8UFQ+k=,tag:2kPmBVFBoowqfymQCHAFvQ==,type:str]
+ lastmodified: "2024-01-14T18:59:05Z"
+ mac: ENC[AES256_GCM,data:mgYOakhFPkZJgNPiQiqZlZrOpQutTUFi2w3bZCTXj7XPqFk8odcbOn6L0X9ag0j65mP7QqyC9hSI9Q8jEGUAGbmI9WaLsnmrTLoQOL9vSaXmWsd2BQLCJORBT2XMO8DASweOh6gfVNodcyOb4dSZe9voessli0OO5tnKpaCWLuw=,iv:fnB4pfo9tsweWhEUI1rRaXzSqS0VdTePnCJkk7OKYe4=,tag:EXq2/lyi39wnAlKLwg29vw==,type:str]
 pgp:
 - created_at: "2024-01-11T22:30:58Z"
 enc: |-
diff --git a/systems/tewi/secrets.yaml b/systems/tewi/secrets.yaml
index 31d6d862..453c0755 100644
--- a/systems/tewi/secrets.yaml
+++ b/systems/tewi/secrets.yaml
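Review bot: `deluge-auth` is added to the mediabox secrets here and removed from `systems/tewi/secrets.yaml` in the next file section, which reads as the credential moving hosts together with the service. Whether the value itself was rotated cannot be seen from the ciphertexts; if the same credential was carried over, the old encrypted copy stays readable in git history to tewi's recipients, so rotating it after the move is the safer choice. Recording that decision in the commit message, or as a YAML comment next to the key such as `# moved from tewi; credential rotated`, would save the next reader from having to guess.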
@@ -2,7 +2,6 @@ tailscale-key: ENC[AES256_GCM,data:dGqnKoCFSF6ZmeptOP7bGy4HYDdUCC1oTdXpiUURDgXl/
 openiscsi-config: ENC[AES256_GCM,data:xyZVJRzR4vK+UAtq3+/QcszLIlcHXYifHnFKm5tVbFUj3c7PjxYGLkvXZfFvERStewdNIQ==,iv:BcbEupXiLECXwfETaVOqfHQ+vkBbrGxkQn54WBYug54=,tag:e0cddYTQAfzSk2AhvzJFvA==,type:str]
 openiscsi-env: ENC[AES256_GCM,data:uAlnrtk64UQukKBWHYrH5J4Ys+GIpu5zDg==,iv:7ahUk9nocs4cSgtr/A4G0Xhlp7pZj/bUlUDLMMYEAMk=,tag:rE2mdBGT3kZqyoDIaKUY3w==,type:str]
 systemd2mqtt-env: ENC[AES256_GCM,data:Zo3+acCcMWgai2ERKbmOlI0hvdkOlNviBqeLb1ALuA==,iv:NxXBDCEevBRqMDY9/3z/Uq2+vENswkYTgTa82wKc32U=,tag:01WUphYRJrwmHv9HE4ac8w==,type:str]
-deluge-auth: ENC[AES256_GCM,data:qJP/CztnN7RV4Z3pP+jbH1B0zzBm8oa3n3X0pecEVe7UI3+NOSwFaQCBD7Q7JDxzh+qTNdQ/wWi7w0XJDG+aRIikgDG28S9RjdPL/w==,iv:GUEwmuk3JWMgsXsDgDrObW657WcN6wcYAsgXhK4Dvx0=,tag:vZMQ67j5kWBWOa6ZqCaQHw==,type:str]
 postgresql-init: ENC[AES256_GCM,data:40s9cdfJMcKjfNBNQikpAY6FZ0cgVEGC52fnXwH3jC5d9qI56hIv84ZZhZ3/kVyxSwpQL+pY0DxNjAKMqLpXx/Ujsp4=,iv:Cj7RPBM7tzTb4jBONM8DYWuJ/STRj6vO2ZU2MTkBPCM=,tag:rq7ROGRyjVZulDDof8qKDg==,type:str]
 sops:
 shamir_threshold: 1
@@ -29,8 +28,8 @@ sops:
 VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR
 7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-14T21:09:55Z"
- mac: ENC[AES256_GCM,data:P8JSR3EqyuzK6PP3/KnIzsEIXXllCDMOfT2Aq+eiXuHE7w32BSdu8WTljOg8vWFH7jtZ1+P5Noi2F31r0CngMtrwxYKob43+HhQtw3VBNYTlZL6n01nK6qbKHncL8PuA4ieJJri+iItSKVc2ZKzXOyjmw+Z1Ij9xfUV872iO3cA=,iv:238Bm7mk9EAa/XR7LP5en9BTaoYKr0AAdMJO01PrYxE=,tag:I7KazGL7ORJZcJffJb9ZBw==,type:str]
+ lastmodified: "2024-01-14T21:35:39Z"
+ mac: ENC[AES256_GCM,data:kkH6Qc81/mmYA8paCGHlQt3K5BUntU7aQm9Rjtqf1rFHIjWFIbpguXPzl555BO4AxUGzNm+OMSIOejLq5GKJ1S749BeADxwExeeR/+zWqECeerQmBfaBQfb1kBr9KlMyhP03fOeUyX1GZmnFyFyAm/xCvW67hatHPKaRrMvSQIY=,iv:DtbabItptKBoibi4g69CLVviURhK5YgPnq3BBkmzhM0=,tag:LDUXWSOdvUGss2S5Oy5KQw==,type:str]
 pgp:
 - created_at: "2023-03-10T17:06:53Z"
 enc: |
diff --git a/tf/.terraform.lock.hcl b/tf/.terraform.lock.hcl
new file mode 100644
index 00000000..737fbd18
--- /dev/null
+++ b/tf/.terraform.lock.hcl
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/cloudflare/cloudflare" { + version = "4.22.0" + constraints = ">= 4.22.0" + hashes = [ + "h1:blHUZFk/sm1K0ljOvL48xumk7+sWnn6RhSAEnR9AjMs=", + "zh:3fd76452845661d6536911fd0ec077531d46d0031b1b46139ea1eee6c926f714", + "zh:44ed58c11d3d1c51d6afa446692b441a89017798a15e7f5d5519a3c91935fc4c", + "zh:46f370d4509bdbbaed0b74218ae6532eaea101c6a94b6dcafd54fe2f79e0a521", + "zh:5e303fb782b42aede9a971adb559a5554461da05de9f71de7114db385c3161d3", + "zh:6c1f4ff22fe80098e4ec35c77c24e96a21a01239d06edfeb73956019409b9fee", + "zh:7a995be9edd05b17f33fa4928f847100949c2631c864119acf4c68221bf12a2c", + "zh:84100a29f7f754d37c8ac6e4d083cb33dd815819cf0f8f5ded42a272970a7b54", + "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f", + "zh:959ab2fc75472f56a0935c8975e4e6772b708cf0a9d015f99db7663bfaa64776", + "zh:a7f3078eda0057dc8312fd233ca13674e58a1bb62e0652169f34795a4f243378", + "zh:b836b5631522d81fba4c70debf13cdc43a328548ad587f456632cf1dd2d190c2", + "zh:c097295f629e2cdfec44779d9ee0bd61c6ffc1f30b6428dce05eac740693182b", + "zh:cffb10d7e99b18910da2034c775b2bd7222c0860a20e560b0a35f5eeb8937eb6", + "zh:fb4170e6a7bf4150c0c928509b8db77c4322eeb47a3506cdc99250afb93fce46", + "zh:fd068410027acf7fd11864c9427ed1d7783ef2bc05eece01682e33a25c4119b0", + ] +}
diff --git a/tf/cloudflare_provider.tf b/tf/cloudflare_provider.tf
new file mode 100644
index 00000000..0c2e327c
--- /dev/null
+++ b/tf/cloudflare_provider.tf
@@ -0,0 +1,19 @@
+variable "cloudflare_account_email" {
+ type = string
+ sensitive = false
+}
+
+variable "cloudflare_account_id" {
+ type = string
+ sensitive = true
+}
+
+variable "cloudflare_api_key" {
+ type = string
+ sensitive = true
+}
+
+provider "cloudflare" {
+ email = var.cloudflare_account_email
+ api_key = var.cloudflare_api_key
+}
\ No newline at end of file
diff --git a/tf/cloudflare_tunnels.tf b/tf/cloudflare_tunnels.tf
new file mode 100644
index 00000000..b5b702bd
--- /dev/null
+++ b/tf/cloudflare_tunnels.tf
@@ -0,0 +1,67 @@
+variable "cloudflare_tunnel_secret_tewi" {
+ type = string
+ sensitive = true
+}
+
+module "tewi" {
+ source = "./tunnel"
+ name = "tewi"
+ secret = var.cloudflare_tunnel_secret_tewi
+ account_id = var.cloudflare_account_id
+ zone_id = cloudflare_zone.gensokyo-zone_zone.id
+ subdomains = [
+ "home",
+ "id",
+ "login",
+ "z2m",
+ ]
+}
+
+output "cloudflare_tunnel_id_tewi" {
+ value = module.tewi.id
+}
+
+output "cloudflare_tunnel_token_tewi" {
+ value = module.tewi.token
+ sensitive = true
+}
+
+output "cloudflare_tunnel_cname_tewi" {
+ value = module.tewi.cname
+}
+
+variable "cloudflare_tunnel_secret_mediabox" {
+ type = string
+ sensitive = true
+}
+
+module "mediabox" {
+ source = "./tunnel"
+ name = "mediabox"
+ secret = var.cloudflare_tunnel_secret_mediabox
+ account_id = var.cloudflare_account_id
+ zone_id = cloudflare_zone.gensokyo-zone_zone.id
+ subdomains = [
+ "deluge",
+ "plex",
+ "sonarr",
+ "radarr",
+ "jackett",
+ "bazarr",
+ "tatulli",
+ "ombi",
+ ]
+}
+
+output "cloudflare_tunnel_id_mediabox" {
+ value = module.mediabox.id
+}
+
+output "cloudflare_tunnel_token_mediabox" {
+ value = module.mediabox.token
+ sensitive = true
+}
+
+output "cloudflare_tunnel_cname_mediabox" {
+ value = module.mediabox.cname
+}
\ No newline at end of file
diff --git a/tf/cloudflare_zones.tf b/tf/cloudflare_zones.tf
new file mode 100644
index 00000000..2698419a
--- /dev/null
+++ b/tf/cloudflare_zones.tf
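Review bot: `provider "cloudflare"` authenticates with `email` plus `api_key`, i.e. the account's Global API Key, which grants full access to every zone and product on the account and cannot be scoped down or rotated per use. The provider also accepts `api_token`, so a token limited to the zone, DNS and tunnel permissions this configuration needs for `gensokyo.zone` would be least privilege and far cheaper to revoke if the tfvars file or the state ever leaks: `api_token = var.cloudflare_api_token`. Separately, none of the three variables carries a `description`; a one-line description on each (for instance `description = "Cloudflare account id; supplied via terraform.tfvars.sops"`) would document what the encrypted tfvars file must provide.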
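Review bot: The `mediabox` subdomain list contains `"tatulli"`, while the service enabled in `systems/mediabox/nixos.nix` is `nixos.tautulli`; as written this creates a `tatulli.gensokyo.zone` CNAME to the tunnel and leaves `tautulli.gensokyo.zone` without a record, so the service would presumably be unreachable under the hostname its cloudflared ingress expects. The entry should read `"tautulli",`. Nothing ties these lists to the per-host ingress hostnames, so a short comment on each `subdomains` block — e.g. `# must match the cloudflared ingress hostnames in systems/<host>/nixos.nix` — would help keep them in step.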
@@ -0,0 +1,21 @@
+variable "bypass_cloudflare" {
+ type = bool
+ default = false
+}
+
+variable "cloudflare_plan" {
+ type = string
+ default = "free"
+}
+
+resource "cloudflare_zone" "gensokyo-zone_zone" {
+ account_id = var.cloudflare_account_id
+ zone = "gensokyo.zone"
+ paused = var.bypass_cloudflare
+ plan = var.cloudflare_plan
+ type = "full"
+}
+
+output "gensokyo-zone_zone_id" {
+ value = cloudflare_zone.gensokyo-zone_zone.id
+}
\ No newline at end of file
diff --git a/tf/terraform.tf b/tf/terraform.tf
new file mode 100644
index 00000000..d460861c
--- /dev/null
+++ b/tf/terraform.tf
@@ -0,0 +1,19 @@
+terraform {
+ required_version = ">= 1.6.0"
+
+ required_providers {
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+ version = ">= 4.22.0"
+ }
+ }
+
+ cloud {
+ organization = "gensokyo-zone"
+ hostname = "app.terraform.io"
+
+ workspaces {
+ name = "infrastructure"
+ }
+ }
+}
\ No newline at end of file
diff --git a/tf/terraform.tfvars.sops b/tf/terraform.tfvars.sops
new file mode 100644
index 00000000..51d43933
--- /dev/null
+++ b/tf/terraform.tfvars.sops
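Review bot: `paused = var.bypass_cloudflare` pauses the whole zone, and every hostname this configuration publishes is a `proxied = true` CNAME to a tunnel (see `tf/tunnel/records.tf`); as far as I can tell Cloudflare only routes tunnel CNAMEs through its proxy, so a paused zone would not fall back to direct origin access but simply stop serving those names. That makes the variable name misleading for anyone expecting a "DNS-only" toggle. A `description` on `bypass_cloudflare` stating the effect, e.g. `description = "Pause the zone (no proxying). Tunnel-backed hostnames stop working while this is set."`, would prevent it being flipped casually.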
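Review bot: The `cloud` block puts state in the `infrastructure` workspace on app.terraform.io, and that state will hold `cloudflare_api_key`, both `cloudflare_tunnel_secret_*` inputs and the `tunnel_token` outputs in plaintext — `sensitive = true` only redacts CLI output, it does not encrypt state. Access to that workspace is therefore equivalent to holding the Cloudflare credentials and should be restricted (and audited) like the sops keys are. A comment above `cloud {`, such as `# State in this workspace contains the Cloudflare API key and tunnel secrets in plaintext; restrict workspace access accordingly.`, would make that explicit to contributors.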
@@ -0,0 +1,27 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:HAMNqftFG/je5o4vvQ9Cr+2JKmhC4xhOiyipm5GPFuU=,tag:9xEBj110g2A2uqchLxhi0g==,type:str]", + "sops": { + "shamir_threshold": 1, + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2024-01-14T20:55:09Z", + "mac": "ENC[AES256_GCM,data:GNh372+4iVRE/3fLBpQdaccJBMFsWibjPUkDmY+goAYjFvba/wLlViLiCkLGLhK7krdm0Ifc0pnf5n8X+vVdPZtwJ2MN12qw1qj2fcRRjJkxmoSA8GrVgGJQNUbhpO8CI6YUmvlC2UKW1KSg0A1PKh/T/vbmBRByQC8qkeMOVWc=,iv:KH6lSsEF4UrHc9YfhkXcg9uIjaMZh02thcNAom91ckw=,tag:a5z8ZkXbUFJiZrLCIXvvZQ==,type:str]", + "pgp": [ + { + "created_at": "2024-01-14T19:49:29Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA82M54yws73UARAAs7d2M7JcQBcza/HOGUz6EynNdsYC9aFfMRqIhJmToIrT\nHXBL15fOofyZoqUuWIO2xT7UlF2GqQRVn3eegppuiCv3UVcSAcblJmwZ+o30vuwq\nr4daD0vx9AsgzM0UA2GEO3LhnSObX3Z9e80XZfL4giusjVS39q2zw9Xbx/pzcoTN\nK6VEzM992Q8URa+k/q6XQizOhbmn94haHszKKuiXu9ft25ALc17CixQOexSeAZ/A\nu5Ipr9gq8EIk4wmz5fJbXn4JDIaO8xGpaeITzc+ZcP9+8ByyQXpOuSsZl3vvZDpi\n9cYqzjHrshK6FCVovBPCPf13d5MOhxR/jerkSNPi+wcAHpw2o34XnEiT8HOPZYH2\ngrxfiTCNw993M5OPlE2zi6gqbz3ajtcLEYS18n4Zt0t/VUL0Mgy1lGmh7s6Y40nX\n+NXUPl/w6QncvOSoUJDpNMflHxcTRnxf/z7m3KjQtiVwyiYAivUDQ+IqBPVwgT6+\nAwLcyYrRokLzHSUo40/CPluMrnCDvWfw/u1x49mUl0BCg/F4bICNSn7SH6H14k/8\nqyVJxKEgZgroUpF1e5TVfOjWYOADWNiAm5+mEOE5t8zG3DMqAUgjaJVK0Szkwv2h\nTwt15l+Yi+gHbAPnBskZpuISx+B3+9ogUWfEMkAO1pb+b7Cb9rX8IVGGFjtsSEzS\nXgFNl/Wi4sTopcaCbvC0/gY3NiT/tUlWRifTDMvxJn0Fk/6UDQvtQYIMYuqrCaWI\nnM0LncGQEjg7VkQHZaV6xOY33nz5/5f5NhgdCniNfM4ivFZl2JW261a4iIkOoIo=\n=2G2d\n-----END PGP MESSAGE-----", + "fp": "CD8CE78CB0B3BDD4" + }, + { + "created_at": "2024-01-14T19:49:29Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQEMA2W9MER3HLb7AQf8DrHkIV82/GIbNUP7shSOuJlDRuVb+6YJCJKg1wfG1980\nxdmJ6mpwZ/00sC7+ecTiTRqhCsruVX0y98GDkmNJWXWM8VQnkV1Y2m8SdmMg9or0\n7c1AvpALgruwfA1ptN5+Vftha69J/ap7IeRxBg2jF5j9RBOe2T4LaxUpI4AdHs+8\nWWCl+/Zj4IL4+Ko8Qvfb21p+ljqHkIrSOj5ehqrJTMtdbnmKfvnhPNu2LVltRRAg\nROhJ60rDKrstykAjfP+xGVsdS5b21CSm8v6I3s4lzT0wLpxYIeWVRek/TwSH2uxq\nI7jW+Y+uX1VljDfixbjzjRd6lJKu8aBfwf5FRfIZHNJeAVI35xYXsw6SPYK45fRP\nlFj4pN3UhEaqjQhF4FZKZyXiSdFKSjxWYzHfNDvR53z2MB2L5VSK510C7jmaKkSS\neXmCTIv68+B0v4bfP7cZsnB2Pr79Rlsh3DGxJ/0H7g==\n=Qe7C\n-----END PGP MESSAGE-----", + "fp": "65BD3044771CB6FB" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file
diff --git a/tf/tunnel/records.tf b/tf/tunnel/records.tf
new file mode 100644
index 00000000..8639fb87
--- /dev/null
+++ b/tf/tunnel/records.tf
@@ -0,0 +1,19 @@
+variable "zone_id" {
+ type = string
+ sensitive = false
+}
+
+variable "subdomains" {
+ type = list(string)
+ sensitive = false
+}
+
+resource "cloudflare_record" "records" {
+ for_each = toset(var.subdomains)
+ name = each.value
+ proxied = true
+ ttl = 1
+ type = "CNAME"
+ value = cloudflare_tunnel.tunnel.cname
+ zone_id = var.zone_id
+}
\ No newline at end of file
diff --git a/tf/tunnel/terraform.tf b/tf/tunnel/terraform.tf
new file mode 100644
index 00000000..dae5eb7d
--- /dev/null
+++ b/tf/tunnel/terraform.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.6.0"
+
+ required_providers {
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+ version = ">= 4.22.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/tf/tunnel/tunnel.tf b/tf/tunnel/tunnel.tf
new file mode 100644
index 00000000..b8fe5988
--- /dev/null
+++ b/tf/tunnel/tunnel.tf
@@ -0,0 +1,34 @@
+variable "account_id" {
+ type = string
+ sensitive = true
+}
+
+variable "name" {
+ type = string
+ sensitive = false
+}
+
+variable "secret" {
+ type = string
+ sensitive = true
+}
+
+resource "cloudflare_tunnel" "tunnel" {
+ account_id = var.account_id
+ name = var.name
+ secret = var.secret
+ config_src = "local"
+}
+
+output "id" {
+ value = cloudflare_tunnel.tunnel.id
+}
+
+output "token" {
+ value = cloudflare_tunnel.tunnel.tunnel_token
+ sensitive = true
+}
+
+output "cname" {
+ value = cloudflare_tunnel.tunnel.cname
+}
\ No newline at end of file
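Review bot: The module inputs `account_id`, `name` and `secret` (and `zone_id`/`subdomains` in `tf/tunnel/records.tf`) carry no `description`, and `secret` has no `validation` block, so a caller gets no hint about the format the tunnel secret must have (the provider documents it as a base64-encoded value of at least 32 bytes — confirm against the 4.22 provider pinned here). A `validation` block on `secret` whose condition is `can(base64decode(var.secret))` with a matching `error_message`, plus one-line descriptions on each variable, would reject a malformed secret at plan time rather than at apply. `config_src = "local"` would also benefit from a comment noting that ingress rules live in each host's cloudflared configuration (as in `systems/mediabox/nixos.nix`), not in Terraform, since that is where the hostname lists must be kept consistent.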